
February 2011 Posts

Myvue.com, Autotrader.co.uk and other high profile Websites infected with Malvertising
Posted: 28 Feb 2011 09:53 AM

Weekends are sacred; most use them to relax and unwind but for some it's showtime! Taking advantage of the fact that a lot of security companies are more relaxed over the weekend, cyber criminals use the opportunity to strike. This weekend, the popular auto trading site Autotrader.co.uk and the cinema site Myvue.com both served ads that redirected the browsing user to malicious Web sites laden with exploits - a phenomenon also known as Malvertising. The Web sites themselves weren't compromised but were serving ads from an ad provider called Unanimis that led browsing users seamlessly - in the background and without their knowledge - to exploit sites. 

 

Unanimis serves ads to thousands of Websites and we've received reports that ebay.co.uk and londonstockexchange.com were also affected by this Malvertising campaign. One of the advantages that cyber criminals enjoy with Malvertising campaigns is that they can be easily spread across a large number of legitimate Websites without directly compromising those Websites, but indirectly through the use of a malicious ad. 

 

Websense customers are protected from such attacks with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

 

Attack Details


The malicious ads were not served from the sites' main pages - in order for the exploit to work, specific ads would have to be loaded by the sites. For example at Autotrader.co.uk, a redirect to an exploit site through an ad would occur if the browsing user clicked on the button to search for a car, and at Myvue.com the same would happen if the browsing user clicked on the button to order movie tickets. It's at those points that more specific adverts are sent to the user's browser. 

 

Let's take a look at an example from Autotrader.co.uk. Here is an image that captures what happens in the background when a user searches for a car with any desired criteria:

 

The first step is the URL that the user is browsing to when searching for a car according to his/her desired criteria: you can see that as part of the URL it has the postcode (blurred), the price range etc. In the background Autotrader.co.uk loads some advertisements from some ad providers. At step 2 it loads the advertisement from a legitimate ad provider called Unanimis. The advertiser redirects to the advertisement in step 3. Step 3 redirects further to step 4, but no advertisement is shown. Step 4 is a site loaded with an exploit kit and several exploits are sent to the user's browser.

 

A car search with Autotrader.co.uk:

 

The Exploit

 

The exploit site is heavily obfuscated and serves several exploits that target Internet Explorer, Adobe Acrobat Reader, and Java. We observed that the exploit kit used is very similar to an exploit kit called "Blackhole". Here are some of the detection rates of the PDF file exploit and the Java-based exploit (JAR file). The dropped file installs a rogue antivirus on the user's computer - the software tells users that their computer is infected and offers a "cleaning antivirus" for $59.95. In the meantime the software disrupts the use and ordinary functionality of the computer by hogging CPU power, displaying disturbing pop-ups and more. The dropped file has a low detection rate.

 

We have been following the exploit domains in this malvertising campaign for quite a long time now, and it seems that cyber criminals use fee-based advertising networks to propagate malware - that means cyber criminals are willing to pay in order to propagate malware. This goes hand in hand with Websense's threat Webscape predictions last year.

 

A snapshot of the exploit URL in Websense's ThreatSeeker Network (The "L" signifies it was captured with Real Time scanning):

 

The exploit site - heavily obfuscated code:

 

The rogue antivirus that is installed:

 

 

 


Elad Sharf

The Ransomway
Posted: 24 Feb 2011 10:36 PM

There are always different ways to make money. Cybercriminals know it, and their imagination is unlimited as far as we can tell. Sometimes they lure users into downloading a rogue AV as a treatment for an “infected computer”, other times they literally extort users to pay to get their own data or computer access back. Let's have a look into the infamous malware called ransomware.

 

In general we can divide this sort of malware into three separate categories:

  1. file encrypters

  2. system lockers

  3. application lockers

     

Even though their application varies, the aim is always the same. The victim has to pay, otherwise the data/access will be lost for ever.

 

File encrypters

The first group represents the most notorious extortion tactic from the real world – “pay now otherwise you will not see it again”. It all started around 1989, when the first ransomware was introduced – the PC Cyborg Trojan, alias the AIDS trojan horse. The basics have remained unchanged since. Once the trojan launches on a victim's computer, all custom data (files that are important from the user's perspective) is encrypted and is therefore inaccessible to the user. With PC Cyborg the victim was asked to post the ransom to a PO Box in Panama; nowadays the criminals ask users to send either an SMS to a premium mobile number, or transfer money to online payment services such as Egold, Liberty Services or others. The payment varies from $20 up to $200 depending on the sophistication of the malware and the greediness of the authors.

 

In 2004 Gpcode (known also as PGPCoder - Trojan-Ransom.Win32.GpCode) emerged into the world. Unlike PC Cyborg, which used a weak symmetric key for the whole encryption, Gpcode started with RC4 and later moved up to AES-256 wrapped with RSA-1024 public-key encryption - the symmetric encryption key is carried in the body of the virus, encrypted with the RSA public key. This sophisticated method makes the cipher unbreakable without the attacker's private key, so the victim has to either pay the ransom and hope for “honesty” from the attacker, or restore all data from the backup – if it exists. Once Gpcode finishes the encryption, the desktop changes and shows a notification of what has just happened with a message window explaining the same (Picture 1).

 

Picture 1 : Gpcode notification about encrypted files and the ransom request

 

 

Every folder with encrypted data contains a new file explaining the situation – either !_READ_ME_!.txt or HOW TO DECRYPT FILES.txt, and every encrypted file has a new extension added – either ._CRYPT or .ENCODED (Picture 2).

 

Picture 2 : Every folder contains the extortion text explanation

 

 

Files are not deleted so the recovery is theoretically possible unless the criminals are completely unscrupulous. You want to believe so, don't you?

 

The virus uses Microsoft Enhanced Cryptographic Provider to encrypt files built by default in Windows, which makes the whole operation extremely fast.

 

Since the first version of Gpcode was discovered we have seen many different versions and also copycats with weak or embedded keys. Nevertheless, this kind of malware can cause real harm to the victims unless all data has been freshly backed up.

 

System lockers

The second category contains malware that blocks access to the vital or essential parts of the system. From samples we have seen we could divide them into two types:

  1. screen lockers

  2. boot lockers

 

The former is performed by either blocking the access to the system interaction completely and showing an extortion message (Picture 3), or just partially covering the screen with an embarrassing image and message (Picture 4) – e.g. Trojan.Ransomlock or Trojan.SMSlock. As the message can “reveal” unwanted details about the victim (“you surfed porn sites for free now you have to pay”) the victims often pay without contacting any professionals to help them out.

 

Picture 3 : The access to the machine is blocked by the malware's notification screen

 

 

Picture 4 :  Embarrassing ad ransomware tactic.

 

 

 

Both of these were first seen around April 2009, and mostly in Russia, where there is no problem getting hold of anonymous premium numbers - as opposed to Western countries, which ask for strong proof of identity. As with the previous category there is no assurance that the victim will receive the unlocking key once the text is sent. As happens with ransoms in general, the criminals can ask for more once they see the victim is willing to pay. Fortunately, this malware is not as sophisticated as the previously mentioned one, so there is a chance to get hold of an unlocking utility or a code generator from the Internet.

 

The second type, boot lockers, replaces the MBR on the disk with an infected one blocking the booting sequence of the computer completely – e.g. Trojan.Bootlock. The message informs the victim about a way how to decrypt the disk by sending a text to a premium number (Picture 5). The criminals claim the whole disk has been encrypted and the only way to get the data back is to pay via uKash or paysafecard on www.safe-data.ru (Picture 6). Again, fortunately for the victims, there is no encryption on the hard drives, only a simple MBR replacement. Also, this particular malware has been using the same passwords continuously - aaaaaaciip and aaaaadabia.

 

Picture 5 : Ransomware replaces the MBR with an infected one blocking the PC boot sequence completely

 

 

Picture 6 : The criminals ask for a payment via online payment services

 

 

Application lockers

The last category is probably the least widespread and least dangerous one. The malware blocks access to specific applications or Web sites asking either for ransom, or more often for the victim to fill out a survey subscribing them to the premium rate mobile services – e.g. Yimfoca IM worm. If the victim declines to fill in the survey, access to the page remains blocked. Even restarting the machine does not help. However, other browsers can access the site with no problems.

 

Malware delivery

The delivery of malicious files is done via the usual malware channels – fake codecs or video players, embedded in illegal copies of programs, via spam, IM chats, comments on personal pages, or USB drives containing "special bonuses”. There is nothing new about the ways in which criminals try to compromise victims. Having said this, protection against such attacks is possible and Websense customers are protected with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

Is ransomware a successor of scareware?

We dare to say it is not. Both malware groups try to convince the victim that there is no way to avoid paying money, although the approach is very different. With scareware the victims at least have a chance to resist the social engineering offering the only solution and work on the cleaning process on their own. With ransomware this chance hardly exists at all. Yes, there are many similarities and it is likely the same people stand behind both types of malware groups. However, in one case there is a "seller" offering the "products and services"; in the other one an extorter asking for ransom. Even though both are illegal and dishonest, the approach is different.

 

Restoration and Protection

Restoration of data or access depends on the kind of malware. In some cases it is possible to download a utility and clean the infected system, in other cases to replace malicious parts with clean ones. Unfortunately, there is no means to bypass malware such as Gpcode. Therefore the only protection is to keep up-to-date backups stored off the machine at all times. With cheap storage readily available this should not be an issue at all. And, of course, services from Websense protect potential victims even against such obstacles as restoring data from backups.

 

To see how Websense protects our customers from Ransomware you can watch the following YouTube video:

 


Ivan Sabo

Popular Polish government Web site Opole.pl injected with Pharmaceutical links
Posted: 24 Feb 2011 11:38 AM

Web sites don't necessarily have to be injected with malicious code (the kind of code that ends up delivering exploits to the user’s browser). In fact we see a LOT of Web sites that are injected with code used for black SEO purposes. This kind of code targets the visiting search engine instead of directly targeting the visiting user with exploits. This is a phenomenon also known as Spamdexing.


When search engines visit a Web site, they also look at the links that the Web site currently links to. Having a reputable Web site (for example CNN.com) link to your site (if you have one) will add to the reputation of your site from the search engine's perspective. The opposite is also true: if a reputable Web site links to a dodgy and not reputable Web site, that won't be good for the reputable Web site and will affect its reputation from the visiting search engine's perspective.

 

Spammers and scammers put considerable effort into getting good reputation for their cunning Web sites and their customers' sites. Take for example Opole.pl: this official and pretty popular local Polish government Web site has had one of its pages injected with rogue links to pharmaceutical Web sites.

 

The links are hidden from the user's browser (see the screenshot below), and since they have been injected into the Web site, it would probably be just as easy to change them or add additional rogue content, like iframes or scripts that can potentially lead to malicious content.

 

You might wonder: how common are hijacks like these? They're pretty widespread. The next graph shows the number of compromised/hijacked pages used for black SEO purposes so far this week. Bear in mind that this graph represents only one analytic that we have in ACE for spamdexing hijacks. The numbers are huge and the trend is clear - the bad guys are monetizing from such black SEO activities.

 

Websense customers are protected from such attacks with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

 

Snapshot of the Injection in Opole.pl:

 

 

The official Web site of Opole Poland - Opole.pl:

 


Elad Sharf

A refreshing change to our .ORG site: it's now serving spam
Posted: 22 Feb 2011 06:57 AM

Websense Security Labs™ gets to see a lot of large email spam campaigns that come through our ThreatSeeker™ Network. However, what's nice is that not only do we get to analyze and protect against the larger campaigns, we can also notice smaller campaigns or oddball variants.

 

A few days ago, we came across this interesting piece of email. Although small, it's interesting to see the crossover of malicious style compromises into the spam world. It also highlights the business model the spammers are going by... or perhaps it points to something more dangerous (more on that later).

 

Websense customers are protected with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

The process starts with an email that has a subject line like "The refreshed site of our company". The email message thanks the recipient for assisting them (the company) in solving a problem they had on their Web site, and urging the user to open it. Here are a couple of examples:

 

Figure 1:

 

Figure 2:

 

So, the spammers are using social engineering techniques to lure the user into clicking on the provided link. For an informed user, this type of text should raise a red flag - it is too generic to be legitimate, and doesn't really contain enough information about "the company". When I saw this email I immediately thought "malicious", since this type of social engineering is prevalent in malicious mails. Notice the "testimonials" about the "service" - what type of service?

 

However, the text is generic enough by itself to bypass content rules (unless specifically applied against this campaign). The links provided are pages on compromised legitimate Web sites, so the spammers are once again trying to bypass reputation-based filtering. All of this is very common these days.

 

Clicking on the provided links leads us to the compromised Web sites, where we see very little content on the specific pages:

 

Figure 3:

 

 

But what we do see is quite suspicious - obfuscated JavaScript. This further supports the notion that something malicious is going on. We could use one of the few handy tools we have here at Websense Security Labs™ to deobfuscate the HTML source, but instead, let's pause for a minute and try to do it manually.

 

We see the script starts by defining the variable ihe46 as a series of 2-3 digit numbers. If we scan the code further down we see a "for" loop that mentions +String.fromCharCode(kw1277). So we can understand that this loop will use the character code to create a string. The loop runs the length of the ihe46 variable, and uses its values to create the string... but wait, not the straight values, as we can see from this bit: {kw1277=ihe46[kmbi209]-65. In this case we need to deduct 65 from each number in the series to get to the real character codes we should be using. For example, the first number is 165, so we deduct 65, and see what the result (100) converts to - the letter "d" in the decimal code table. If we continue down the series we can arrive at the final string which reads:
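The manual decoding described above is easy to automate. The following is an added example, not code from the Websense post: it extracts a numeric array and its subtraction offset from a script of the shape described (the variable names ihe46, kmbi209 and kw1277 in the sample are reused from the post only as placeholders; the array itself is constructed here around a benign string and is not the real one from the compromised page), decodes it, and, for scripts where the offset is not obvious, lists the offsets that yield printable ASCII.

```javascript
// Added example (not from the Websense post): decode the fromCharCode
// obfuscation described above. Each array entry is a character code
// plus a fixed offset (65 in the post's sample).

function decodeOffsetArray(codes, offset) {
  let out = '';
  for (let i = 0; i < codes.length; i++) {
    const c = codes[i] - offset;
    if (!Number.isInteger(c) || c < 0 || c > 0xffff) {
      throw new RangeError(`entry ${i} (${codes[i]}) is not a valid code unit after offset ${offset}`);
    }
    out += String.fromCharCode(c);
  }
  return out;
}

// Encoder, used here only to build the constructed sample below.
function encodeOffsetArray(text, offset) {
  return Array.from(text, ch => ch.charCodeAt(0) + offset);
}

// Pull the numeric array and the offset out of a script shaped like
// "var ihe46=[165,176,...]; ... kw1277=ihe46[kmbi209]-65 ...".
// Variable names are matched generically; the regexes are this example's assumption.
function extractFromScript(src) {
  const arr = src.match(/var\s+(\w+)\s*=\s*\[\s*([\d\s,]+)\]/);
  if (!arr) return null;
  const name = arr[1];
  const codes = arr[2].split(',').map(s => parseInt(s.trim(), 10));
  const off = src.match(new RegExp(name + '\\[\\w+\\]\\s*-\\s*(\\d+)'));
  const offset = off ? parseInt(off[1], 10) : 0;
  return { codes, offset };
}

// When the offset is not visible, try candidates and keep those for which
// every decoded character is printable ASCII (a simple plausibility filter).
function guessOffsets(codes, maxOffset = 300) {
  const hits = [];
  for (let off = 0; off <= maxOffset; off++) {
    if (codes.every(c => c - off >= 0x20 && c - off <= 0x7e)) hits.push(off);
  }
  return hits;
}

// Constructed sample: a benign string encoded with offset 65 and wrapped in a
// script fragment shaped like the one in the post. Like the post's sample,
// its first entry is 165, which decodes to "d".
const SAMPLE_TEXT = 'document.write("<a href=\'http://example.invalid/\'>x</a>")';
const SAMPLE_CODES = encodeOffsetArray(SAMPLE_TEXT, 65);
const SAMPLE_SCRIPT =
  'var ihe46=[' + SAMPLE_CODES.join(',') + '];\n' +
  'var s="";for(var kmbi209=0;kmbi209<ihe46.length;kmbi209++)' +
  '{kw1277=ihe46[kmbi209]-65;s+=String.fromCharCode(kw1277);}\n';

function decodeSampleScript() {
  const { codes, offset } = extractFromScript(SAMPLE_SCRIPT);
  return decodeOffsetArray(codes, offset);
}

console.log(decodeSampleScript());
console.log('candidate offsets:', guessOffsets(SAMPLE_CODES));
```

The plausibility filter in guessOffsets deliberately returns every offset that keeps the output printable, because a neighbouring offset can still produce printable garbage; the analyst picks the one whose output is syntactically valid script or HTML, which is exactly the judgement the post makes by hand.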

 

Figure 4:

 

 

Following the link, I expected it to lead to a malicious Web site. Instead, a familiar face appeared:

 

Figure 5:

 

 

Yes, it's our friend the smirking Canadian pharmacist...

 

The other example, also obfuscated in the same way but with a different offset, leads to a similar result:

 

Figure 6:

 

 

This is not the first time we have seen a connection between malicious techniques and spam, such as back in September 2010 and June 2010, and it's no surprise since the infrastructure used to spread malicious and spam content is shared (botnets). What we are also reminded of here is how the business model of the spammers affects the way the spam is delivered. In this case, there's quite a departure from "normal" pharmaceutical spam. The initial email message has no related terms whatsoever. The spammers need the link to be clicked on to make their money... so they will use whatever technique they can to get the user to do that.  We can assume that the spammer's "clients" (owners of the various pharmaceutical sites) would prefer actual orders being placed on the final target site, so it's not clear how popular this technique will be for "straight spam". We do remember that any compromised site can be turned malicious, and we have seen, for example, how Zeus in the past redirected the victim to pharmaceutical sites after the victim's machine was exploited.

 

So, this campaign could either be a spam experiment... or maybe a staging/dry run for a malicious campaign. We'll have to wait and see.

 

In the meantime, we suggest resisting the temptation to see how you helped an unknown company improve their Web site...

 


Ran Mosessco

Multi-Dimensional Reputation shown with ThreatSeeker
Posted: 17 Feb 2011 05:43 PM

Here at Websense Security Labs™, our ThreatSeeker™ Network brings us multiple incidents daily.  With all of our sources coming into one central area, it can be overwhelming to connect the dots and figure out the context for an incident -- where it's coming from and how it's being used.  In this blog post, we hope to show how we are able to handle so much data, and to provide a peek at the benefits of some of our automated systems.  As an example, we'll use an incident reported by Defensio: a URL that Defensio found in a post that was determined to be spam. 

 

If you want to protect your employees from these types of attacks, check out our Advanced Classification Engine. If you want to protect your blog or Facebook pages, check out Defensio.

 

Here is a screenshot of the sample URL:

 

As you can see above, there is a link to download the supposed crack for Nero software.  Clicking the link actually downloads a Trojan Dropper meant to install Rogue AV software, both of which have little AV coverage, on your computer.  The URL originated from one of the top spam-posting IP addresses that we have seen with Defensio. So let's take a look at the IP address that posted the spam comment, which Defensio blocked. 

 

Here is a screenshot of the whois information for the IP address:

 

As we can see above, this IP address is in the Ukraine, and seems to belong to a home user.  That's a little bit of interesting information, but we can go deeper and find out what else we have seen from the whole ASN to which this IP address belongs.  For this information, we have to go to our ThreatSeeker Web interface.

 

Here is the screenshot of the ASN report:

 

There's lots of bad stuff coming from that ASN!  The red tells us that the ASN has a bad reputation based on the content that it sends out.  We can also see that most of the sites hosted on that ASN seem to be FF (Fast Flux) sites, which probably means that the ASN is riddled with bot activity.  Going back to the whois information on the IP address, since it looks to be a home user, bot activity makes sense.  While it's reasonable that a home user would be posting comments to blogs, a home user probably wouldn't be one of the top posters of spam comments. That strongly suggests that a bot running on a home user's computer is posting the spam.  Another interesting thing to notice about the screenshot above is that most of the URLs listed are also very young in age, designated by the D# showing in the context column.  So we have a bad poster of spam comments coming from an ASN that also seems to host quite a bit of bad stuff!  This is probably no coincidence.  :)

Chris Astacio

Beware of Embedded Spyware of Mobile Apps
Posted: 16 Feb 2011 03:06 AM

We have seen quite a few stories about spyware or malware being embedded into popular software, which careless users then download to their PCs. Embedding is a common tactic used to spread malware, as it can easily be distributed through self-extracting packages that can be ported to multiple platforms, including mobile devices. Mobile users typically have less control over their devices than PC users; therefore more care should be taken when installing applications onto mobile devices.

 

Today the author of a popular Android game, Tank Hero - abaybas - claimed that he was approached by a suspicious company that was willing to pay him money to embed spyware into the game application. Abaybas immediately refused this request and instead decided to publish details of the proposal on his website. Thanks to him, I can continue to play Tank Hero on my cell phone worry-free.

 

 

It would be good if everyone were as ethical as abaybas. It is better to be safe, so you should only trust applications from legitimate application providers. Some service providers offer security by locking the mobile device to specific application providers. In addition, the permission list should be checked before installation. Particular attention should be paid to applications that require permissions like the ones shown below:

 


 

Note: The actual list is much longer.

 

For better safety, mobile security applications provided by security organizations should also be considered.


Tim Xia

BBC - 6 Music and 1xtra Web site Injected With Malicious iFrame
Posted: 15 Feb 2011 04:03 PM

The BBC - 6 Music Web site has been injected with a malicious iframe, as have areas of the BBC 1Xtra radio station Web site.  At the time of writing this blog, the sites are still linking to an injected iframe.

 

Websense customers are protected with our Advanced Classification Engine analytics, our suite of technologies within TRITON.

 

Screenshot of injected malicious iframe:

 

The injected iframe occurs at the foot of the BBC 6 Music Web page, and loads code from a Web site in the .co.cc TLD.  The iframe injected into the Radio 1Xtra Web page leads to the same malicious site.
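Both the hidden pharmaceutical links on Opole.pl described earlier on this page and the foot-of-page iframe described here are things a site owner can triage from the raw HTML. The following scanner is an added example, not code from the Websense posts or from any of the affected sites: it tokenizes HTML with a regex (a triage aid, not a full parser), tracks whether each anchor sits inside a container that is hidden with CSS, and flags anchors to foreign hosts that are hidden as well as iframes to foreign hosts that are hidden, tiny, or in a suspect TLD. The sample page, the host names in it and the suspect-TLD list are constructed for this example; only .co.cc is taken from the post.

```javascript
// Added example (not from the Websense posts): flag hidden outbound links
// (spamdexing) and suspicious iframes in a page's HTML.

// Seeded with the TLD named in the BBC post; extend to taste (assumption).
const SUSPECT_TLDS = ['.co.cc'];
// Common ways injected content is kept out of sight.
const HIDDEN_STYLE = /display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px|font-size\s*:\s*0/i;
const VOID_TAGS = new Set(['br', 'img', 'input', 'meta', 'link', 'hr']);

// Parse tag attributes; valueless attributes (e.g. "hidden") get ''.
function attrs(tagBody) {
  const out = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody))) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return out;
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

function scanHtml(html, pageHost) {
  const findings = [];
  const stack = []; // open tags with their own hidden flag
  const tagRe = /<\/?([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html))) {
    const [raw, nameRaw, body] = m;
    const name = nameRaw.toLowerCase();
    if (raw.startsWith('</')) {
      // Pop back to the matching open tag, tolerating unbalanced markup.
      const i = stack.map(s => s.name).lastIndexOf(name);
      if (i >= 0) stack.length = i;
      continue;
    }
    const a = attrs(body);
    const hiddenHere = HIDDEN_STYLE.test(a.style || '') || 'hidden' in a;
    const hidden = hiddenHere || stack.some(s => s.hidden);
    if (name === 'a' && a.href) {
      const host = hostOf(a.href);
      if (host && host !== pageHost && hidden) {
        findings.push({ kind: 'hidden-external-link', target: a.href });
      }
    }
    if (name === 'iframe' && a.src) {
      const host = hostOf(a.src);
      const w = parseInt(a.width, 10), h = parseInt(a.height, 10);
      const tiny = w <= 1 || h <= 1; // NaN compares false, so missing sizes do not count
      const suspectTld = host !== null && SUSPECT_TLDS.some(t => host.endsWith(t));
      if (host && host !== pageHost && (hidden || tiny || suspectTld)) {
        findings.push({ kind: 'suspicious-iframe', target: a.src });
      }
    }
    if (!VOID_TAGS.has(name) && !body.trim().endsWith('/')) stack.push({ name, hidden: hiddenHere });
  }
  return findings;
}

// Constructed sample page: one legitimate link, two links hidden in a
// display:none block, and a 1x1 iframe to a .co.cc host at the foot.
const SAMPLE_PAGE_HOST = 'www.example-city.invalid';
const SAMPLE_HTML = `
<html><body>
<h1>City news</h1>
<a href="http://www.example-city.invalid/news">Local news</a>
<div style="display:none">
  <a href="http://cheap-pills.invalid/buy">buy pills</a>
  <a href="http://cheap-pills.invalid/order">order now</a>
</div>
<p>Footer</p>
<iframe src="http://some-host.co.cc/in.php" width="1" height="1"></iframe>
</body></html>`;

function scanSample() {
  return scanHtml(SAMPLE_HTML, SAMPLE_PAGE_HOST);
}

console.log(scanSample());
```

Run it over a saved copy of the page rather than a live fetch, and treat a hit as a reason to diff the file against a known-good deployment: the posts note that the same injection point can be repurposed from SEO links to script or iframe payloads, so the container is the finding, not just the current link.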

 

If an unprotected user browsed to the site they would be faced with drive-by downloads, meaning that simply browsing to the page is enough to get infected with a malicious executable.

 

The payload is delivered to the end user only once, with the initial visit being logged by the malware authors.

 

The code that is delivered to end users utilizes exploits delivered by the Phoenix exploit kit. A malicious binary is ultimately delivered to the end user. The VirusTotal detection of this file is currently around 20%.

 

This attack is part of a current mass-injection targeting vulnerable Web sites.  We shall continue to investigate this threat and offer protection to our customers from this and similar attacks.


Carl Leonard

Night Dragon
Posted: 13 Feb 2011 01:04 AM

Over the past few days there has been a lot of talk and media reports about an attack named Night Dragon. Night Dragon targets the U.S. oil, gas, and petrochemical companies. It steals proprietary and confidential information from executives by using a combination of social engineering, Remote Access Trojans (RATs), and SQL injection attacks to gain access to external and internal hosts inside companies.

 

This attack is not unlike others we have seen in recent weeks. These targeted attacks typically combine social engineering with publicly available RAT applications. In the case of Night Dragon, the RAT used is called zwShell. Other common trojans used in these types of attacks include Gh0st RAT and Poison Ivy, all of which are readily available for download. Unlike the Aurora trojan, with which large companies were attacked in late 2009, the Night Dragon trojan doesn’t use 0-day exploits to gain access to hosts.

 

 

Traditional security not capable of preventing
Attacks of this nature, where the attackers have specific objectives in mind, are very difficult to prevent. Much of the focus is concentrated on preventing the attack from occurring in the first place. Whilst this is the best thing to do, it’s very difficult to achieve. There is no single silver bullet for security, but Websense provides Data Loss Prevention (DLP) products - a proven data protection solution that is capable of securing data by preventing and blocking data leaks, even if the connection is encrypted. If the data is not allowed to leave the organization, regardless of the method (HTTP, HTTPS, email, USB devices, smartphones etc.), then the trojan is blocked and the attack fails. Protecting the assets that the attackers seek is an effective way to thwart these attempted attacks.  The DLP component is just one of several technologies in TRITON that we at Websense can provide to mitigate and protect against these types of attacks.


Patrik Runald

Raising Awareness of Cyber Threats - The Debate
Posted: 10 Feb 2011 01:32 PM

Last night I had the privilege of participating in a panel discussion at the Frontline Club in London, UK.  The topic for discussion was 'Will the Internet be the battleground of the 21st century?'.


 

The discussion covered recent examples of Advanced Persistent Threats and the importance of informed security-focused decision-making.  We looked at the topic from different angles: from the strategic viewpoint – how organizations should best prepare themselves to mitigate the effects of a breach of their network, and from a personal viewpoint – looking at the impact of cyber crime on individuals.

Also on the panel were Peter Sommer (co-author of the OECD study 'Reducing Systemic Cybersecurity Risk'), Claire Yorke (co-author of the Chatham House Report ‘On Cyber Warfare’) and Dr Rex Hughes (a fellow in Cyber Security at Cambridge University).  The event was chaired by Ben Hammersley, editor at large of WIRED UK.

I’m sure both security researchers and members of IT security teams will attest to the effects of malware, targeted attacks, and attempts to breach our network infrastructure occurring ever more frequently in our advanced Internet-dependent society.  Certainly in the Websense Security Labs we witness an ever-increasing number of malicious Web sites, targeted attacks, and increasingly complex threats using multiple attack vectors.  These attempts are made to disrupt operations and retrieve valuable data within organizations distributed around the world.

At the end of this event it was clear to me that the need for organizations to carefully review their security position has never been greater.  The current climate of the threat landscape lends itself to us needing to think carefully about the security solutions that we implement within our organizations, not just at a technical level, but also at a policy level.  For example, if as an organization you wish to embrace Web 2.0 and allow employees to utilize social networking, you can do so.  The important part is to ensure you have enabling technology that permits this to occur safely, and protects against the risks that are associated with the use of these sites.

Thankfully with debates like this occurring we can help push forward the message, share experiences, and work towards making our Internet a safer place in which to do business.

 

 

The background to the event can be seen here.
If you are interested in seeing a recording of the debate you can watch the video archive linked from the Frontline Web site.

 

To find out how Websense protects our customers from modern threats you should explore our Advanced Classification Engine here.

This Month in the Threat Webscape - January 2011
Posted: 09 Feb 2011 06:15 PM

Month of January

Major Hits

Billy Rios brought up a neat way to bypass Flash's local-system sandbox. To get the local files from the hard drive to an external server, he needed to use a non-blacklisted protocol handler. His PoC shows how the MHTML protocol handler can break the strongly defined restrictions that Adobe Flash has. As the method looked so cute, somebody got inspired and successfully tried the same protocol against Microsoft too.

 

We had at least two more victims of malicious hacking this month. Lush left their customers vulnerable to credit card fraud for several months, and Trapster leaked more than 10 million registered users' details. Sometimes being warned about speed cameras is not actually that valuable.

 

On 27th January 2011 the world blacked out. At least for Egypt. All communication channels were suspended by the national government in an apparently desperate effort to block political protests. More than 80 million people stopped communicating. You should probably book holidays in a different location this year.

 

Open source software development and distribution portal SourceForge was hit by a major attack. This action exploited several of their servers and many others have been shut down proactively. It looks like "you-know-who" does not like open source at all. Who is "you-know-who" though?

 

Unlike the Egyptian government, Tunisia apparently decided to keep their communications on but intercept all user names and passwords for the major Web 2.0 portals, including Gmail, Facebook, and Yahoo. An injected code was found on all of the mentioned Web sites "siphoning off login credentials". One government rules them all. By the way, Tunisia is not the greatest destination for this year either.

 

Amazon was apparently mimicking Gawker. A failing security implementation caused issues with older Amazon.com accounts' passwords, making them case-insensitive or allowing extra characters to be appended. So a password "protected" was the same as "PROTECTED" or, even better, as "ProtecTED1234" and so forth. This applied to older accounts only, so simply changing your password to a new one (or even the same one) makes things much more secure. Have you been with Amazon for a long time now? Go and change your password "just for fun".

 

Web 2 dot uh oh

A slew of malicious attacks streamed through Facebook this month. A worm, disguised as a photo viewer application, tricked users into installing the malware when the "View Photo" button was clicked. Koobface is making its rounds once more and employing a couple of new tactics: a new campaign spread by using compromised accounts to send out direct messages. French President Nicolas Sarkozy's and Facebook CEO Mark Zuckerberg's fan pages were apparently hacked and were used to distribute unusual political messages.

 

Facebook celebrated Data Privacy Day by offering its users the option to enable HTTPS connections. They also introduced Social Authentication, a concept very similar to Image CAPTCHA, but instead of using dictionary images, this feature uses actual pictures of a user's Facebook friend and asks him or her to name that person. 

 

Malware authors abused Google's redirection service, goo.gl, in their Twitter worm campaign which ultimately redirects users to fake AV sites.

 

Browser and friends

Google Chrome has fixed multiple vulnerabilities in stable channel versions prior to 8.0.552.237. These vulnerabilities include a stack corruption vulnerability in the PDF renderer component, two memory corruption vulnerabilities in the Vorbis decoder, and a video frame size error resulting in a bad memory access.

 

The VirusTotal Web site released a plugin for Firefox named VTzilla. It allows users to scan downloads directly with VirusTotal's Web application before storing them. Moreover, it will not only scan files, but also URLs.

 

Apple fixed a man-in-the-middle vulnerability in OS X 10.6. A specially formatted string in PackageKit's handling of distribution scripts may cause an unexpected application termination or arbitrary code execution.

 

Microsoft

The start of 2011 feels a bit far away by now, but it was just the start of the year that unleashed a new zero-day vulnerability in Microsoft’s Graphics Rendering Engine (CVE-2010-3970). The exploit takes advantage of the way thumbnails or previews are processed and presented to the user by Explorer.exe and can be triggered by crafting an exploit file and sending it to a target (the victim must view the file in a folder where thumbnails or previews are enabled). The security hole hasn't been patched yet and was added to the Metasploit framework.

 

January’s patch Tuesday brings an end to 3 major security holes in two released updates. One critical update fixes two issues in Microsoft Data Access Components (MDAC) where one of them could allow taking over a targeted system by visiting a specially crafted Web page (MS11-002). The second update fixes an issue in Microsoft Backup Manager where opening a legitimate remote Windows backup manager file can load a specially crafted malicious library – if located in the same directory (MS11-001). No attacks for any of the updates have been spotted in the wild. There are two holes in Windows that are yet to be patched, the mentioned vulnerability in Microsoft’s Graphical Rendering Engine and a vulnerability in Internet Explorer’s Cascading Style Sheets (CVE-2010-3971). We alerted on both vulnerabilities here and here. If you're wondering why Microsoft didn’t release a patch for those two holes in January’s patch Tuesday despite the fact that they have publicly available proof-of-concept code, how they prioritize patches is explained in their Research and Defense blog.

 

The end of January brings a vulnerability in Windows: this time it’s not remote code execution but a vulnerability in the MHTML protocol handler that could allow “information disclosure”. This effectively means that the MHTML protocol could be used to perform an XSS attack on the local machine when a user opens an HTML file with Internet Explorer (any version of it). More details on a workaround to prevent this attack and some examples are in the Microsoft Security Research and Defense blog.

 

Some good news for Microsoft as it released some updates to its secure development tools suite. One of the tools is called “Attack Surface Analyzer”, which aims to give security professionals a clear picture of an installed application's changes to the system, allowing them to determine any security implications. It does that by “diffing” the state of the system before and after the application is installed. The tool is in Beta and available for 64-bit versions of Windows only. More details about the tool here.

 

Hello ThreatSeeker. You've got mail!

Just when we thought it was all over! In contrast to the previous month, spam might have taken a short vacation but it sure is not a permanent one.

 

January saw the Return Of The Spam, leading us to conclude that as long as there is a profit to be made with spamming, spammers will always be around. The blip and the consequent drop in spam were short-lived, although we can just about conclude that spammers like the holidays just as the rest of us do.

 

January also saw the awakening of Waledac, which seemed to have gone offline for a few days until apparently a new set of instructions was received from the C&C to wake up. Monitoring the behavior after the bot awoke showed this was geared to send out spam marketing the magic blue pill.

 

Towards the end of the month, we noticed within our ThreatSeeker network that spammers are quite up to date, having capitalized on the deadline for self assessment tax within the UK and similarly for filing tax returns in the USA.


Security Trends

An Android Froyo (2.2) vulnerability reported by Thomas Cannon last year should have been fixed by now. However, Xuxian Jiang proved that it is still present even with the newest Android Gingerbread (2.3). The data stealing exposure is not that great but still worrying enough to keep the browser far away from unknown sites.

 

The BlackBerry Attachment Service got hit with a critical PDF flaw. When a specially crafted PDF file is opened on a smartphone which has an association to the mentioned server, it can cause an unexpected process termination and arbitrary code execution. PDF complexity is haunting more than the Windows and MacOS platforms.

 

Allegedly several major Web sites (.gov, .mil, .edu) have been hacked and put up for sale by a hacker claiming to be from the Anonymous group. Most likely SQL injections put more than a dozen such Web sites into a vulnerable position, freely offering credentials and personal data to interested parties. Did you want to easily get accepted to a university?

 

A short time after Mozilla announced support for the "Do-Not-Track" mechanism, which allows users to choose what data they want collected about their browsing habits and preferences, Google also released a Chrome extension letting users opt out of tracking cookies from different ad networks. The end of targeted ads on the Internet? We wish so.

When all legitimate services evolve, fraudsters have to do the same to remain "in the game". After targeting most major online banks, ZeuS creators started to adjust their "state of the art" for online payment providers too. Money Bookers, Nochex, Netspend and also E-gold became further victims of this infamous malware. Are we going to use cash once again?

 

German security researcher Thomas Roth claims to have hacked into WPA-PSK protected Wi-Fi networks using Amazon EC2 cloud services and a specialized program written by him. The worries over what the cloud makes possible are coming true.

 

Java trojans targeting Windows, Mac, and Linux computers at the same time are becoming a new trend among cybercriminals. Jnanabot is one of the latest. Do you really use Java on your computer?

 

This month's roundup contributors:

Ivan Sabo
Mary-Grace Timcang
Lei Li
Elad Sharf
Amon Sanniez


©2012 Websense, Inc. All Rights Reserved.